github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-24 20:24:09 +00:00
Code Issues Projects Releases Wiki Activity

Add an impersonation test case to the audit E2E test

Browse Source
This commit is contained in:
Dennis Czombera 2018-11-19 14:03:16 +01:00
parent 7ba79c3183
commit f9df691c72
2 changed files with 67 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
test/e2e/auth/audit.go
View File

@ -79,6 +79,16 @@ var _ = SIGDescribe("Advanced Audit", func() {
anonymousClient, err := clientset.NewForConfig(config) anonymousClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err) framework.ExpectNoError(err)
By("Creating a kubernetes client that impersonates an authorized user")
config, err = framework.LoadConfig()
framework.ExpectNoError(err)
config.Impersonate = restclient.ImpersonationConfig{
UserName: "superman",
Groups: []string{"system:masters"},
}
impersonatedClient, err := clientset.NewForConfig(config)
framework.ExpectNoError(err)
testCases := []struct { testCases := []struct {
action func() action func()
events []utils.AuditEvent events []utils.AuditEvent
@ -668,6 +678,30 @@ var _ = SIGDescribe("Advanced Audit", func() {
}, },
}, },
}, },
// List pods as impersonated user.
{
func() {
_, err = impersonatedClient.CoreV1().Pods(namespace).List(metav1.ListOptions{})
framework.ExpectNoError(err, "failed to list pods")
},
[]utils.AuditEvent{
{
Level: auditinternal.LevelRequest,
Stage: auditinternal.StageResponseComplete,
RequestURI: fmt.Sprintf("/api/v1/namespaces/%s/pods", namespace),
Verb: "list",
Code: 200,
User: auditTestUser,
ImpersonatedUser: "superman",
ImpersonatedGroups: "system:masters",
Resource: "pods",
Namespace: namespace,
RequestObject: false,
ResponseObject: false,
AuthorizeDecision: "allow",
},
},
},
} }
// test authorizer annotations, RBAC is required. // test authorizer annotations, RBAC is required.
@ -690,6 +724,8 @@ var _ = SIGDescribe("Advanced Audit", func() {
Verb: "get", Verb: "get",
Code: 403, Code: 403,
User: auditTestUser, User: auditTestUser,
ImpersonatedUser: "system:anonymous",
ImpersonatedGroups: "system:unauthenticated",
Resource: "pods", Resource: "pods",
Namespace: namespace, Namespace: namespace,
RequestObject: false, RequestObject: false,

9
test/utils/audit.go
View File

@ -20,6 +20,8 @@ import (
"bufio" "bufio"
"fmt" "fmt"
"io" "io"
"sort"
"strings"
"k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/runtime"
"k8s.io/apimachinery/pkg/runtime/schema" "k8s.io/apimachinery/pkg/runtime/schema"
@ -34,6 +36,8 @@ type AuditEvent struct {
Verb string Verb string
Code int32 Code int32
User string User string
ImpersonatedUser string
ImpersonatedGroups string
Resource string Resource string
Namespace string Namespace string
RequestObject bool RequestObject bool
@ -101,6 +105,11 @@ func parseAuditLine(line string, version schema.GroupVersion) (AuditEvent, error
if e.RequestObject != nil { if e.RequestObject != nil {
event.RequestObject = true event.RequestObject = true
} }
if e.ImpersonatedUser != nil {
event.ImpersonatedUser = e.ImpersonatedUser.Username
sort.Strings(e.ImpersonatedUser.Groups)
event.ImpersonatedGroups = strings.Join(e.ImpersonatedUser.Groups, ",")
}
event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"] event.AuthorizeDecision = e.Annotations["authorization.k8s.io/decision"]
return event, nil return event, nil
} }